An indexed model of recursive types for foundational proof-carrying code
ACM Transactions on Programming Languages and Systems (TOPLAS)
Separation Logic: A Logic for Shared Mutable Data Structures
LICS '02 Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science
Certified assembly programming with embedded code pointers
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Modular verification of assembly code with stack-based control abstractions
Proceedings of the 2006 ACM SIGPLAN conference on Programming language design and implementation
An open framework for foundational proof-carrying code
TLDI '07 Proceedings of the 2007 ACM SIGPLAN international workshop on Types in languages design and implementation
A Certified Thread Library for Multithreaded User Programs
TASE '07 Proceedings of the First Joint IEEE/IFIP Symposium on Theoretical Aspects of Software Engineering
Certifying low-level programs with hardware interrupts and preemptive threads
Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
CVM -- A Verified Framework for Microkernel Programmers
Electronic Notes in Theoretical Computer Science (ENTCS)
Combining Domain-Specific and Foundational Logics to Verify Complete Software Systems
VSTTE '08 Proceedings of the 2nd international conference on Verified Software: Theories, Tools, Experiments
Verified Process-Context Switch for C-Programmed Kernels
VSTTE '08 Proceedings of the 2nd international conference on Verified Software: Theories, Tools, Experiments
seL4: formal verification of an OS kernel
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
Using XCAP to certify realistic systems code: machine context management
TPHOLs'07 Proceedings of the 20th international conference on Theorem proving in higher order logics
On the correctness of operating system kernels
TPHOLs'05 Proceedings of the 18th international conference on Theorem Proving in Higher Order Logics
Hi-index | 0.00 |
With recent efforts to build foundational certified software systems, two different approaches have been proposed to certify thread context switching. One is to certify both threads and context switching in a single logic system, and the other certifies threads and context switching at different abstraction levels. The former requires heavy weight extensions in the logic system to support first-class code pointers and recursive specifications. Moreover, the specification for context switching is very complex. The latter supports simpler and more natural specifications, but it requires the contexts of threads to be abstracted away completely when threads are certified. As a result, the conventional implementation of context switching used in most systems needs to be revised to make the abstraction work. In this paper, we extend the second approach to certify the conventional implementation, where the clear abstraction for threads is unavailable since both threads and context switching hold pointers of thread contexts. To solve this problem, we allow the program specifications for threads to refer to pointers of thread contexts. Thread contexts are treated as opaque structures, whose contents are unspecified and should never be accessed by the code of threads. Therefore, the advantage of avoiding the direct support of first-class code pointers is still preserved in our method. Besides, our new approach is also more lightweight. Instead of using two different logics to certify threads and context switching, we employ only one program logic with two different specifications for the context switching. One is used to certify the implementation itself, and the more abstract one is used as an interface between threads and context switching at a higher abstraction level. The consistency between the two specifications are enforced by the global program invariant.